Last Updated: July 4, 2024

Data Processing Addendum (DPA)

1. Introduction

This Data Processing Addendum ("DPA") forms part of the Master Services Agreement (the "Agreement") between Outmarket AI ("Processor") and the Customer ("Controller"). This DPA reflects the parties' agreement with regard to the processing of Data in accordance with applicable data protection laws and regulations.

2. Definitions

2.1 "Customer"

means the individual or entity that has entered into the Agreement and agreed to the incorporation of this DPA into the Agreement.

2.2 "Customer Data"

means Customer's content, application data, data, file attachments, text, images, reports, personal information, or other content that is uploaded or submitted to an online Service by Customer or Users and is Processed by Outmarket AI on behalf of Customer. For the avoidance of doubt, Customer Content does not include usage, statistical, learned, or technical information that does not reveal the actual contents of Customer Content.

2.4 "Customer Personal Data"

means Personal Data that is contained within Customer Content.

2.5 "Personal Data"

means any information relating to, identifying, describing, or capable of being associated with a Data Subject or a household.

2.6 "Data"

means any Customer Data, Customer Content, Customer Personal Data, and Personal Data processed by Processor as part of providing the Services to Controller.

2.7 "Processing"

means any operation or set of operations performed on Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

2.8 "Sub-processor"

means any third party appointed by or on behalf of Processor to process Data in connection with the Agreement.

2.9 "Data Protection Laws"

means all applicable legislation protecting the fundamental rights and freedoms of individuals and their right to privacy with respect to the processing of Data.

3. Processing of Data

3.1 Processor's Obligations

Processor shall process Data only on documented instructions from Controller, including with regard to transfers of Data to a third country or an international organization, unless required to do so by Union or Member State law to which Processor is subject. In such a case, Processor shall inform Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

3.2 Controller's Obligations

Controller shall provide documented instructions that are compliant with Data Protection Laws. Controller shall ensure that it has obtained all necessary consents, permissions, and notices required for Processor to process Data in accordance with this DPA.

4. Security Measures

4.1 Confidentiality

Processor shall ensure that persons authorized to process Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.2 Security

Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, inter alia, as appropriate:

  • The pseudonymization and encryption of Data
  • The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services
  • The ability to restore the availability and access to Data in a timely manner in the event of a physical or technical incident
  • A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing

5. Multi-Tenant Secure System Measures

Processor shall ensure the highest level of measures to maintain data confidentiality and security in a multi-tenant secure system, including but not limited to:

  • Data Isolation: Ensuring logical data isolation between tenants to prevent unauthorized access to other tenants' Data
  • Access Control: Implementing strict access control measures, including role-based access control and multi-factor authentication, to limit access to Data to only those individuals who need it to perform their job duties
  • Encryption: Encrypting Data both in transit and at rest using industry-standard encryption algorithms and protocols
  • Monitoring and Logging: Continuously monitoring and logging access to Data and system activities to detect and respond to security incidents promptly
  • Regular Audits: Conducting regular security audits and vulnerability assessments to identify and mitigate potential security risks
  • Data Minimization: Ensuring that only the minimum necessary amount of Data is processed for the specified purposes

6. Sub-processors

6.1 General Authorization

Controller provides general authorization to Processor to engage Sub-processors. Processor shall inform Controller of any intended changes concerning the addition or replacement of Sub-processors, thereby giving Controller the opportunity to object to such changes.

6.2 Sub-processor Obligations

Processor shall ensure that the Sub-processor is bound by data protection obligations no less protective than those set forth in this DPA.

| Sub-Processor | Subject Matter | Nature and Purpose of Processing | Location(s) of Processing |
|---|---|---|---|
| AWS | Cloud computing and storage | Hosting and processing of structured/unstructured data | USA |
| GCP | Cloud computing and storage | Hosting and processing of structured/unstructured data | USA |
| Google Gemini | AI model inference | Processing natural language queries and AI-based analytics | USA |
| OpenAI | AI model inference | Processing natural language queries and AI-based analytics | USA |
| Anthropic | AI model inference | Processing natural language queries and AI-based analytics | USA |
| Supabase | Database hosting and management | Storing, managing, and retrieving customer data | USA |
| GitHub | Code repository and version control | Managing source code, version control, and CI/CD pipelines | USA |
| Llama Parse | Document parsing and processing | Extracting, parsing, and analyzing structured documents | USA |
| Airbyte | Data integration and ETL processing | Extracting, transforming, and loading data for analysis | USA |

7. Data Subject Rights

Processor shall assist Controller in responding to requests from data subjects to exercise their rights under Data Protection Laws, including access, rectification, erasure, restriction of processing, data portability, and objection to the processing of their Data.

8. Data Breach Notification

Processor shall notify Controller without undue delay after becoming aware of a personal data breach affecting Data. Such notification shall include all relevant information necessary for Controller to meet any obligations to report or inform data subjects of the personal data breach under Data Protection Laws.

9. Data Protection Impact Assessment and Prior Consultation

Processor shall provide reasonable assistance to Controller with any data protection impact assessments and prior consultations with supervisory authorities or other competent data privacy authorities, which Controller reasonably considers to be required by Data Protection Laws.

10. Deletion or Return of Data

Upon termination or expiration of the Agreement, Processor shall, at Controller's choice, delete or return all Data to Controller and delete existing copies unless applicable law requires storage of the Data.

11. Audit Rights

Processor shall make available to Controller all information necessary to demonstrate compliance with the obligations set forth in this DPA and allow for and contribute to audits, including inspections, conducted by Controller or another auditor mandated by Controller.

12. International Data Transfers

Processor shall not transfer Data to a third country or an international organization without Controller's prior written consent, except where required to do so by Union or Member State law to which Processor is subject.

13. Liability

The liability of each party under this DPA shall be subject to the exclusions and limitations of liability set out in the Agreement.

14. Duration and Termination

This DPA shall remain in effect for as long as the Processor processes Data on behalf of the Controller under the Agreement.

15. Governing Law and Jurisdiction

This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by Data Protection Laws.
